Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Please help, Network compromised

Status
Not open for further replies.

helpme2pc

IS-IT--Management
Jun 5, 2005
17
US
I believe I have a network that someone has run a packet sniffer on it. We have a webfilter and we have seen hits to it from admin accounts and from people that aren't in the building when the hits happen. There is something weird going on. Any suggestions as to finding the possible sniffer? Luckily so far, nothing on the servers has changed, but it is only a mater of time. Thanks in advance for the help.
 
On this network, is the web server in the DMZ? Have there been a rash of unsuccessful logins in the IIS logs? It sounds more like someone is running an access program. Basically, takes a list of user names, a list of passwords, and runs it against the web server. You should be able to find out "who" the culprit is by looking at the IIS logs, and be able to block that IP in your firewall....
 
I'm sorry if I misled you, but this is an internal problem. At this point, there should be no access available from the internet side.
 
Have you enabled logging on IIS? This will tell you what you are looking for whether it is internal or external....
 
As far as finding a sniffer, I don't think you can. A sniffer is a passive listener to what's going by on the network. It doesn't broadcast or send anything to give away it's presence. And ANY computer (PC, laptop, server) on the network can be running a sniffer.

Network traffic from people who are not there could be innocent. If someone leaves their PC logged in, then some program tries to contact a web site for some reason, then that network traffic would be from a user who's not in the building. Some programs do reach out to hosts on the Internet at times (i.e. antivirus progs looking for updates, etc). If you know who the userids belong to, go see if they leave their computer logged on when they go home.

Why do you think it's a sniffer?
 
Basically, the story is that we have a web filter installed on the network. We can see when people hit sites that they're not suppsed to. The web filter logs both the username and the ip address of the machine that they were logged into. This place is a 24 hr operation with a paid staff during the day and volunteers (for the most part) both day and night. We have seen hits from day staff late evenings and overnights on occasions that we are sure that they aren't in the building. It became a concern but not a huge one until we began to see hits with the administrator login, which I am the only one who knows it. We have changed passwords on the accounts and it hasn't gotten any better. That's why I'm at a loss as to what to do next and came to you guys. I appreciate the help thus far, so thanks.
 
I'd first check the machines generating the hits. Then, put in an IDS or sniffer of your own and see what the traffic is.
 
Just some random thots...

If you have the IP address, have you located the machine? Is it more than one? Or just one? Can you do a stake-out some night? Maybe a strategically placed web cam.

Does it happen every night, or just some nights? If you see a pattern, maybe check it against work schedules.

I assume there would be supervisors at night. Can you talk to them and enlist their support in finding the person? This approach is only flawed if it's one of them.

Actually, since the person seems to have usernames and passwords, I would look for a keylogger instead of a sniffer. Maybe rerun virus scans (make sure your software finds keyloggers). Also try the normal set of freeware (SpyBot, AdAware, HiJackThis, CWShredder, etc). Also look for hardware keyloggers. There are tiny ones that plug between the keyboard and the PC (Keylogger).

You say you have a web filter installed. Why aren't you just blocking the sites that are being visited? Maybe instead of doing black list filtering, do white list filtering where the only sites accessible are ones that are approved and put on the list. This is a lot more oppressive, but that can put peer pressure on your "surfer" that's abusing the privilege if others know what he/she's doing.
 
This could also mean that nothing unusual is going on. The machine will often try to initiate connections on its own without user present at the workstation, example: a weather bug or similar software. You should check the desktops for installed software that maybe set for auto updates etc; this could be generating false positives when in reality no threat exists. Also, check computers for spyware that could trigger unattended connections.

Sniffer would not register on your web filter log, it is a passive tool it only collects data but if an active network scan was done internally it would not show external targets unless scan aims to find open outbound ports on the firewall if such implemented.
 
Ummm, also you need to verify if the administrator log you're seeing is for a local administrator or a network administrator. This should narrow your search down tremendously. Also you could have a trojan running from the compromised machine of an individual (especially if you're a Windows shop and haven't been patched properly). Also, examine your logs closely and make sure there's not a configuration error in the logging. What user if any is logged in on the IIS server?

CISSP,ISC2 Affiliate & Instructor, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Thanks for all of the suggestions. I still don't have a fix yet, but I am still working on it. I am working through all of your suggestions. Since I am not there often, this has dragged on longer than it probably should. Luckily there doesn't seem to be any issues with the servers, just random blocked web hits.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top